MEMORANDUM REPORT 01-IT-M-084
Strong Management Support Needed to Ensure the Broadcasting Board of Governors
Complies with the Government Information Security Reform Act
September 2001


        In response to the Government Information Security Reform Act (GISRA), Public Law 106-398, the Office of Inspector General (OIG) performed an independent evaluation of the information security program of the Broadcasting Board of Governors (BBG). The specific objectives of our review were to identify the BBG’s policies and procedures for securing information on its information systems and to determine whether the BBG is effectively implementing the requirements of GISRA.

RESULTS IN BRIEF

        When OIG began its review in February 2001, BBG did not have a documented, agency-wide information security program as required by GISRA and had not documented security level requirements for its systems. Since then, the BBG has appointed a Chief Information Officer (CIO) and has made some progress toward establishing an information security program. For example, in July 2001, the CIO issued a draft paper outlining a framework for the BBG Information Security Program, including a discussion of roles and responsibilities, training requirements, and the agency’s enterprise architecture. OIG is encouraged by these steps to comply with GISRA and recommends that the BBG complete work on developing its information security program by the end of October 2001 and include a discussion of these efforts in its remediation plan, which is due to the Office of Management and Budget on October 31, 2001.

BACKGROUND

        The U.S. International Broadcasting Act of 1994 (Public Law 103-236) created the BBG as a self-governing element within the former United States Information Agency, which provided some administrative, technical, and management support to BBG. The Foreign Affairs Reform and Restructuring Act of 1998 (Public Law 105-277) granted the BBG independence from the United States Information Agency on October 1, 1999. BBG is responsible for overseeing all U.S. Government-funded civilian broadcasting, including the operations of the International Broadcasting Bureau (IBB), which includes the broadcasting entities of Voice of America, Worldnet Television and Film Service, and the Office of Cuba Broadcasting. BBG also oversees two grantee organizations—Radio Free Europe/Radio Liberty and Radio Free Asia.

        Information security is an important consideration for any organization that depends on information systems and computer networks to carry out its mission or business. Computer-supported government operations, including those at the BBG, are at increasing risk. The dramatic expansion in computer interconnectivity and the rapid increase in the use of the Internet are changing the way our government, the nation, and much of the world communicate and conduct business. Without proper safeguards, however, these developments make it easier for individuals and groups with malicious intent to intrude into inadequately protected systems and use such access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer networks and systems. Further, the number of people with computer skills is increasing, and intrusion techniques and tools are readily available and relatively easy to use. The rash of cyber attacks launched in February 2000 against major U.S. firms and the global disruption caused by the “ILOVEYOU” virus in May 2000 illustrate the risks associated with this new electronic age.

        Faced with growing concerns about information security risks to the Federal Government, the Congress passed and the President signed GISRA into law in late 2000. GISRA provides: (1) a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support Federal operations and assets; and (2) a mechanism for improved oversight of Federal agency information security programs. Specifically, GISRA requires each agency to:

   •   identify, use, and share best security practices;
   •   develop an agency-wide information security plan;
   •   incorporate information security principles and practices throughout the life cycles of the agency’s information systems; and
   •   ensure that the information security plan is practiced throughout all life cycles of the agency’s information systems.

        In addition, GISRA assigns the agency’s CIO authority to administer key functions under the statute, including:

   •   designating a senior agency information security official who shall report to the CIO;
   •   developing and maintaining an agency-wide information security program;
   •   ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques; and
   •   training and overseeing personnel with significant responsibilities for information security.

        Finally, in addition to a number of other provisions, GISRA requires that each agency have an annual independent evaluation performed of its information security program and practices. The Inspector General or another independent evaluator performing these evaluations may use any audit, evaluation, or report relating to the effectiveness of the agency’s information security program. The agency is required to submit the independent evaluation, along with its own assessment, to the Office of Management and Budget as part of its annual budget request.

PURPOSE, SCOPE, AND METHODOLOGY

        Section 3535 of GISRA directs each agency to have an independent evaluation conducted of its information security program and practices. In response to GISRA, the Office of Inspector General conducted this review with the specific objectives of: (1) identifying the BBG’s policies and procedures for securing information on its information systems; and (2) determining whether the BBG is in compliance with GISRA with regard to establishing and ensuring the effectiveness of controls over information resources.

        To fulfill our review objectives, we met with officials from organizations throughout BBG, including the IBB, Voice of America, and Worldnet Television and Film Service. We spoke with officials from the Office of Cuba Broadcasting but did not conduct any field work at its headquarters in Miami. The Office of Cuba Broadcasting had become aware of GISRA requirements only in June 2001 and requested time to develop and implement compliance measures. Also, OIG did not conduct detailed review work with the BBG’s grantee organizations, Radio Free Europe/Radio Liberty and Radio Free Asia. They are private nonprofit organizations that own and operate their own information technology systems.

        In addition to detailed discussions with appropriate BBG management and staff, we developed and used a questionnaire based on the National Institute of Standards and Technology’s Security Self-Assessment Guide for Information Technology Systems. We collected other pertinent supporting information security documentation as appropriate. We did not review technical controls during this evaluation because BBG was still developing its security program. We followed generally accepted government auditing standards and conducted such tests and procedures as were considered necessary to the assignment. We obtained written comments on a draft of this report from BBG and revised the report where appropriate. The BBG’s comments are included in Appendix A. Staff from our Information Technology Issue Area performed this evaluation from February 2001 through August 2001. Contributors to this report were Frank Deffer, James Davies, Tim Fitzgerald, Robert Taylor, Anthony Carbone, Sharon Hunter, Chris Watson, and Matthew Worner. Comments or questions about the report can be directed to Mr. Deffer at defferf@state.gov or at (703) 284-2715 or to Mr. Davies at daviesj@state.gov or at (703) 284-2673.

AUDIT FINDINGS
BROADCASTING BOARD OF GOVERNORS SHOWS PROGRESS IN
ESTABLISHING AN INFORMATION SECURITY PROGRAM

        When OIG began its review in February 2001, the BBG did not have a documented information security program or written policies and procedures covering information security. OIG’s independent evaluation revealed that BBG’s senior management began actions in early 2001 to respond to GISRA requirements. The BBG is now developing its information systems security program. OIG is supportive of the direction in which the agency is headed at this time and has refrained from making numerous detailed recommendations. OIG encourages BBG senior management and staff to develop the information security program that they believe is best for their agency.

Information Security Controls Required

        Upon initiating this evaluation in February 2001, OIG found that BBG had not developed written policies and procedures for establishing commonly used information security controls. OIG found that BBG primarily uses commercial off-the-shelf software and identified 49 systems that it was operating at the time of our evaluation. Using questions taken from the National Institute of Standards and Technology’s Self-Assessment Guide, OIG held discussions with several system owners and found that they were not using standard information security controls while managing their systems and that system security level determinations had not been documented. Furthermore, other key items that would support a stronger risk management approach to information security, as called for under GISRA, were missing. They include:

   •   risk assessments;
   •   contingency plans;
   •   vulnerability testing;
   •   an information security training program; and
   •   procedures for detecting, reporting, and responding to security incidents.

BBG Takes Steps to Develop an Agency-wide
Systems Security Program and Plans

        Since February 2001, the agency has taken a number of steps to develop an information security program to meet GISRA requirements. Specifically, the BBG designated IBB’s associate director for management as the CIO. The CIO is responsible for establishing agency information management policy and for administering the agency’s information security program. In July 2001, the CIO issued a draft outline of a framework for the BBG’s Information Security Program, including a description of:

   •   roles and responsibilities of key officials, such as the CIO, program officials, office directors, the Broadcast Technology Steering Committee, and the user;
   •   training requirements to ensure that employees understand their security obligations; and
   •   BBG’s enterprise architecture, including an overview of the agency’s global computing environment.

In addition, five BBG program offices—Computing Services, Engineering and Technical Services, Voice of America Broadcast Operations, the Office of Cuba Broadcasting, and the Office of Internet Development—are developing security plans to protect the 18 mission-critical and 31 nonmission-critical BBG systems that were identified during our evaluation. The development of these security plans, according to BBG officials, is geared toward meeting GISRA requirements. Overall, these efforts suggest that BBG is making steady progress toward establishing an effective information security program throughout the agency.

Recommendation 1: We recommend that the Broadcasting Board of Governors direct the Chief Information Officer to complete the development of the agency’s information security program by the end of October 2001 and that the issues noted in this report be addressed not later than October 31, 2001, as part of the Board’s remediation process and plan under the Government Information Security Reform Act.

BBG Response

        In commenting on a draft of this report (see Appendix A), the BBG concurred with this recommendation. The BBG also noted one factual error in the draft report.

OIG Comment

        The Inspector General accepts this response and considers this recommendation resolved. The BBG should provide OIG with copies of its remediation plan when it is submitted to the Office of Management and Budget on October 31, 2001, for consideration in closing this recommendation.

        OIG has corrected the factual error noted by the BBG in its response to the draft report.